Bug #167
Sylpheed does not check SSL certificate hostname
0%
Description
When Sylpheed connects to an IMAP/SMTP/POP server over SSL, it does not check the hostname on the SSL certificate. This is a major security problem, because it means an attacker can man-in-the-middle a SSL connection by purchasing a valid certificate for his/her own domain and using it in the attack. Since the certificate is valid, Sylpheed accepts it, even though it's not for the hostname Sylpheed thinks it's connecting to.
The attached patch fixes the problem by making sure the name on the certificate matches the hostname Sylpheed is connecting to. The code to properly check a certificate's hostname with OpenSSL is not simple, so I used the MIT-licensed example code provided here: https://github.com/iSECPartners/ssl-conservatory
Files
Updated by Hiroyuki Yamamoto over 8 years ago
- Status changed from New to Confirmed
- Assignee set to Hiroyuki Yamamoto
- Target version set to 3.4
Hello,
Thanks for the patch. I will add the SSL certificate hostname check in the next 3.4 release.
(and sorry about not replying your e-mail you have sent last month.)
Updated by Hiroyuki Yamamoto over 8 years ago
- Status changed from In Progress to Resolved
Fixed in r3318:3323.
- separated additional code to independent files because of different license
- modified naming convention to match LibSylph
- used X509_V_ERR_APPLICATION_VERIFICATION to represent hostname mismatch
- modified SOCKS proxy code to validate with endpoint hostname
Updated by Hiroyuki Yamamoto over 8 years ago
- Status changed from Resolved to In Progress
It was found that the patch does not check wildcard certificate (*.some.domain) at all.
I'll add it until next release.
Updated by Hiroyuki Yamamoto over 8 years ago
- Status changed from In Progress to Resolved
Fixed in 3.4.0rc.
Updated by boddy massage 2 months ago
We are one of the best body massage service providers in bangalore. Call us for female to male full body massage. We are Offering professional full body massage in bangalore.
http://boddymsg.com/
http://boddymsg.com/services.html
http://boddymsg.com/contact.html
http://boddymsg.com/body_to_body_msg_bang.html
http://boddymsg.com/female_to_male_msg.html
http://boddymsg.com/spa_near_mebang.html
http://boddymsg.com/swedish_msg_bang.html
http://boddymsg.com/ban_msg_center.html
http://boddymsg.com/erotic_msg_bang.html
http://boddymsg.com/hot_stone_massage.html
http://boddymsg.com/full_body_msg.html
http://boddymsg.com/happy_ending_msg.html
http://boddymsg.com/ladies_parlour_me.html
http://boddymsg.com/deep_tissue_msg.html
http://boddymsg.com/female_to_male.html
http://boddymsg.com/body_msg.html
http://boddymsg.com/sensual_msg.html
http://boddymsg.com/body_to_body_spa_nearme.html
http://boddymsg.com/aromatherapy_msg_bang.html
http://boddymsg.com/thai_spa_near_me.html
http://boddymsg.com/nuru_msg_bangalore.html
http://boddymsg.com/msg_center_near_me_bangalore.html
http://boddymsg.com/couples_msg_bang.html
http://boddymsg.com/body_msg_spa_near_me.html
http://boddymsg.com/msg_par_near_me.html
http://boddymsg.com/carn_therapy.html
http://boddymsg.com/msg_spa_near_me.html
http://boddymsg.com/massage_spa.html
http://boddymsg.com/sarjapura.html
http://boddymsg.com/jigani.html
http://boddymsg.com/chandapura.html
http://boddymsg.com/anekal.html
http://boddymsg.com/attibele.html
http://boddymsg.com/madiwala.html
http://boddymsg.com/bommanahalli.html
http://boddymsg.com/yaswanthpur.html
http://boddymsg.com/yelahanka.html
http://boddymsg.com/mathikere.html
http://boddymsg.com/jalahalli.html
http://boddymsg.com/kammanahalli.html
http://boddymsg.com/ramamurthy_nagar.html
http://boddymsg.com/banaswadi.html
http://boddymsg.com/kalyan_nagar.html
http://boddymsg.com/bellundur.html
http://boddymsg.com/sadashivanagar.html
http://boddymsg.com/frazer_town.html
http://boddymsg.com/rajaji_nagar.html
http://boddymsg.com/malleshwaram.html
http://boddymsg.com/jaya_nagar.html
http://boddymsg.com/basavangudi.html
http://boddymsg.com/indira_nagar.html
http://boddymsg.com/KR_Market.html
http://boddymsg.com/KR_Puram.html
http://boddymsg.com/koramangala.html
http://boddymsg.com/marathahalli.html
http://boddymsg.com/bannerghatta_road.html
http://boddymsg.com/hebbal.html
http://boddymsg.com/JP_nagar.html
http://boddymsg.com/HSR_layout.html
http://boddymsg.com/lalbagh.html
http://boddymsg.com/electronic_city.html
http://boddymsg.com/whitfield.html
http://boddymsg.com/brookefield.html
http://boddymsg.com/banashankari.html
http://boddymsg.com/majestic.html
http://boddymsg.com/shivaji_nagar.html
http://boddymsg.com/victoria_layout.html
http://boddymsg.com/jayanagar.html
http://boddymsg.com/all_over_bangalore.html
http://boddymsg.com/bangalore.html
http://boddymsg.com/index.html
http://kamasutramsg.in/
http://kamasutramsg.in/index.html